Why and How to Use Passkeys

Passwords typically suffer from one or more of the following problems: They are not complex enough, they are difficult to remember, or they are saved in a far too insecure way. Although admins are supposed to use a separate, strong password for each IT system, many don’t, and they write down their credentials somewhere they can be easily found; the classic worst case is a sticky note on the monitor. Passwords pose a challenge, not only for the user, but also for admins. For example, you can never be sure whether the password used was entered by the legitimate user or by someone else (e.g., a cybercriminal or bot).

Microsoft, Google, and Apple are now tackling the problem. Google and Apple unveiled the passkey method at their developer conferences to enable passwordless logins with cryptographic keys, making the classic password obsolete.

The Eternal Cat-and-Mouse Game

IT security is not a purely technical challenge but, instead, a human one. However, people should not to be considered the problem or the weakest link. Instead, as it turns out, they are simply the preferred attack vector today. Problems such as phishing, wherein crooks lure the user to a fake website to grab credentials, can always lead to nasty surprises.

IT has therefore continuously invented new and different strategies to reduce the likelihood of users falling victim to an attacker. For example, two-factor authentication (2FA) is a widely implemented approach. It involves a combination of various factors such as knowledge (e.g., password, PIN) and possession (e.g., a transaction authentication number (TAN) generator, an authenticator app) supported by biometrics (e.g., fingerprint). However, even these strategies do not ensure complete security. Attackers have learned how to outsmart both users and IT systems. This cat-and-mouse game goes on wherever you look.

How Passkeys Work

The passkey process is based on the Web Authentication API (WebAuthn), a core component of the FIDO (fast identity online) Alliance’s FIDO2 specifications, and is intended to improve the user experience. It is also committed to making security issues such as weak credentials, lost credentials, and phishing impossible. A passkey is based on public and private keys. When a user registers on a website or with an app, the operating system creates a unique cryptographic key pair in the background for the app user account or website.

The end user’s device itself generates these keys and transmits the first key, which is the public key, to the remote IT system. As with any private-public key method, this public key is not a secret. It doesn’t matter if it is intercepted or stolen from the IT system by some criminal; however, the second key generated is private and is appended to the password manager on Android or the iCloud Keychain on iOS. An external system never learns what the private key is.

The device protects access to this key with the maximum available security. If biometric sensors are present on the device, they can be used to gain access. If this is not the case, the device password is required.

Thanks to passkeys, users no longer need to enter a password to log in to apps and websites. Once generated, any login to an IT system from now on will proceed as follows (Figure 1):